Category: InfoSec

I am a big fan of planning for “the Big Dark”, where the power is out for more than 3 days. Analog systems, like printed and hand-written records, will be more useful.

Remember: Emergency preparedness isn’t only for you. It is also so others can contact you when something bad happens to them.

There are drawbacks, mostly around family dynamics, which this article assumes are moot when an emergency happens.

Note: These are my recommendations. Your mileage may vary. I look forward to constructive input on how best to prepare in the digital age.

Keep an off-line list of emergency info & numbers with you

There was a time when people either knew important numbers and information or carried an address book – a printed-out, dead-tree address book – and some change to use a pay phone (remember those?) to call people. We need to embrace at least a subset of that.

In certain countries you may need your ID number as well (though US residents should NOT carry their Social Security card or number).

How about this: keep the numbers of your family and close friends written down in case your phone dies. I could not call anyone except my children if my phone failed, and they don’t often answer their phones – especially from an unknown caller.

As I’m living in a foreign country, I carry a card or two that I can use to get me home. If you’re traveling, disoriented, or inebriated, having a card or two to help you get home can be a life saver.

Carry a bit of cash with you, too, in your wallet.

Keep an off-line list of emergency info & numbers at home

This should be a superset of what you carry with you. Your actual cards, birth certificates, and similar documents (if they are not already in a safe deposit box) should be in a locked, fireproof box you can grab on the way out in an emergency. Bank account information, other financial records, and whatever else you would need to rebuild after a disaster belong in there too.

Throw some currency in the box, too. While it sits in there it isn’t working for you, earning interest or buying food. But if the power goes out, no credit or debit card will help. Cash will.

[iOS] Use Emergency Bypass

I’ve used the Do Not Disturb feature in iOS since it was introduced. This feature allows you to set “quiet times” when your device won’t alert you with notifications, including phone calls and text messages. It can be activated manually or set to activate at recurring times. I have mine set to activate from 10:00 p.m. – 6:00 a.m. each day, mainly to avoid “wrong number” calls at all hours of the night.

You have always been able to set a specific group of people you want to exclude from the Do Not Disturb settings. This can be a group you designate in your Contacts or your iPhone’s Favorites list. For years I’ve had a contacts group called “VIP”, excluded from Do Not Disturb, that included family, a few close friends, and other important numbers. While this is handy, it may not cover everyone you want to be able to reach you in the event of an urgent matter. With iOS 10, you have more granular control and can now set contacts on an individual basis to bypass the Do Not Disturb settings.

To activate the feature, select the contact card you want to exclude, edit the contact, and select Ringtone. At the top of the Ringtone menu you’ll now see a toggle for “Emergency Bypass”.

[Android] Use Google’s Trusted Contacts App

Trusted Contacts runs on a pretty simple concept: with the tap of a button, an approved list of people can request your location from wherever they may be. Users need to manually approve who can request their location, and once a request is sent, the user has 5 minutes to approve or decline the request before the app automatically approves it and sends the location.

This app takes things up a notch as well by adding offline support, in a sense. If a user heads outside of active cell service and internet access, the app will report that user’s last known location 5 minutes after a request is sent. Contacts can also “walk each other home,” virtually. This essentially enables one user to keep track of another user’s location as a live feed.

… Before you can share your location, though, you first have to go through the process of adding contacts to the application…

How to add contacts:

Open the Trusted Contacts application

If this is the first time setting up the application, Trusted Contacts will walk you through adding contacts

To set up new contacts, either tap the Add contacts button found at the bottom of the home screen, or open the menu by tapping the Menu button in the upper left-hand corner of the screen and tap the Add contacts option

Here you can search through the contacts on your device and select Add next to the individual to send them an invitation to be a trusted contact

Set up lock screen emergency information

This is an old tip, but still useful.

Basically, write out your contact information, take a picture of it, and make that picture your device’s lock screen. Tailor the content to provide what is needed without going overboard. Imagine you are passed out on the sidewalk and the only thing people can get to is your phone’s lock screen. What is the critical information you can provide there that doesn’t open you up to identity theft?

I find this more useful than the lock-screen owner message most devices support. A long message scrolls, and almost everyone puts the contact email or phone number at the end of it, so whoever finds you has to wait for it to come around.

What else?

What other simple, inexpensive, and effective things should folks do?

At CircleCityCon, CSO’s Steve Ragan chats with Paul Jorgensen, host of the PVC Security Podcast, about ad hoc processes within many security operations centers (SOCs) and how organizations can prevent these types of mistakes.

I relished talking with Steve Ragan at CircleCityCon in Indianapolis last weekend (Saturday 11 June 2016). He recorded a bite-sized, elevator-pitch summary of a key point or two from my talk, “Top 10 Mistakes in Security Operations Centers, Incident Handling, and Incident Response”.

Yes, our first take failed. We were joined then by Chris Maddalena, my co-host from the PVC Security podcast. Chris couldn’t be bothered to join us for the redo, probably because he was busy winning the whole conference or something.

Not only was I moments away from my talk, as Steve mentioned in the open; I also left straight from my session to the airport en route to Tokyo for work. You can’t see my luggage lurking behind me in the video.

Many thanks to Steve and IDG.tv for having me on. It was fun, deja vu included.

p.s. – I think the rhyme in the title could have been exploited more #justsayin

Symantec will be filling an important product gap with its acquisition of Blue Coat Systems, Symantec’s interim president and chief operating officer Ajei Gopal said in an interview with Dark Reading this week.

Symantec was smart to buy my company, Blue Coat, and install me as the new president and CEO of Symantec. And as I’m the new Symantec head honcho, I agree with the comments made by the former president and CEO of Blue Coat, the company Symantec just acquired.

I thoroughly enjoyed speaking at the conference. Thank you to the audience, who were fantastic. I would be remiss if I did not also thank the CCC organizers for bestowing the honor of speaking upon me.

The talk covered many items: why we build these things called SOC; what is the next generation of SOC; how can we move toward it; how can we leverage a hybrid model and cloud tools to enable the transition. I can’t share the deck. The presentation was not recorded, though cameras captured me in action quite often. Glad I was looking sharp!

It’s been a while since I presented with simultaneous translation into another language. The translators were great. By all accounts they captured not only my words but a bit of my passion and energy.

I’m not sure how my audience received the message. Crowds didn’t up and leave. No one fell asleep, something of a victory for a 4PM talk on day 3. About 130 of an expected 200 showed up. All in all, I think it went well.

I wish there had been a question-and-answer session, or a time for Sato-san and me to answer questions one-on-one.

I want to thank my colleague, Sato Takuya, for introducing me and closing out the session. I wish I knew the names of the translators so I could thank them by name as well.

p.s. – If you are an event organizer and you chose lanyard-attached name tags, please print the information on both sides of the insert card!


I’m honored to present at CircleCityCon 2016 on Saturday at 16:00 on “Top 10 Mistakes in Security Operations Centers, Incident Handling & Response” and how to avoid them (https://circlecitycon.com/talks/)

I’m excited by the opportunity and can’t wait to see you there (tickets: https://circlecitycon.com/tickets/). Stop by and say ‘hi’!

I might just have a PVC Security cohort or two around, so don’t be surprised if a PVC Security podcast episode happens.

Let’s Encrypt (previously), a joint EFF-Mozilla-Linux Foundation project that lets anyone easily create an SSL certificate for free in minutes and install and configure it so that visitors to their websites will be shielded from surveillance, came out of beta this week, and it’s already making a huge difference.

You may need to retcon what they see on 60 Minutes with what they’ve seen over and over again on NCIS and CSI. If you’re lucky, your family also watches Elementary and The Good Wife, CBS shows that keep most of their technobabble close to reality.

So there’s been hype about this big exploit coming, for over a month, before anything was released. It had a name, a website and a logo – and it was called Badlock.

And now it’s out, and it’s more like Sadlock – really a local network DoS against DCE/RPC services on Windows and Linux with some slight chance of pulling off a MiTM. No remote code execution, not even privilege escalation.

…

Microsoft hasn’t even labelled it as critical, merely important.

Crucial? As it was marketed, hardly.

…

There is a whole list of related CVEs, none of which are really critical.

Another questionable point is that the person who ‘discovered’ these bugs is a member of the Samba Core Team, and works on Samba.

So it’s like hey, here’s a bunch of vulnerabilities I found in my own software, let’s make a logo for them and give them a name (which doesn’t even really relate to the vulns).

So yeah, there’s nothing really wrong with branding a vulnerability to get awareness about something critical – get press coverage and get people fixing it. But this? This is a minor bug, with no real major production impact, only exploitable over a LAN, which at worst allows for a MiTM.

…

I saw a great quote on Twitter; it went something like:

“All these names for exploits are getting confusing and can be hard to remember/categorise – soon we’ll need to invent some kinda system that assigns numbers to vulnerabilities…”

LOL indeed.

Are these bugs important enough to patch? Oh yes, absolutely. Did they need a month of marketing, a logo and a name to raise awareness? Absolutely not. They could have slid into regular, automated patch updates along with all other ‘important’ patches.

It could have been an interesting story about a whole series of bugs in Samba, but it became a huge discussion about the Badlock clownshow. Sad.